System for Automated Computer Support

ABSTRACT

Systems and methods for providing automated computer support are described herein. One described method comprises receiving a plurality of snapshots from a plurality of computers, storing the plurality of snapshots in a data store, and creating an adaptive reference model based at least in part on the plurality of snapshots. The described method further comprises comparing at least one of the plurality of snapshots to the adaptive reference model, and identifying at least one anomaly based on the comparison.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.14/467,780 filed Aug. 25, 2014, which is a continuation of U.S. patentapplication Ser. No. 13/342,636 filed Jan. 3, 2012, now U.S. Pat. No.8,819,005, which is a continuation of U.S. patent application Ser. No.13/020,877 filed Feb. 4, 2011, now U.S. Pat. No. 8,103,664, which is acontinuation of U.S. patent application Ser. No. 12/548,742 filed Aug.27, 2009, now U.S. Pat. No. 7,908,271, which is a divisional of U.S.patent application Ser. No. 10/916,956 filed Aug. 11, 2004, now U.S.Pat. No. 7,593,936, which claims the benefit of U.S. Provisional PatentApplication No. 60/494,225, filed Aug. 11, 2003, the entireties of eachof which are hereby incorporated by reference.

FIELD OF THE INVENTION

The present invention relates generally to systems and methods forautomated computer support.

BACKGROUND

As information technology continues to increase in complexity, problemmanagement costs will escalate as the frequency of support incidentsrises and the skill set requirements for human analysts become moredemanding. Conventional problem management tools are designed to reducecosts by increasing the efficiency of the humans performing thesesupport tasks. This is typically accomplished by at least partiallyautomating the capture of trouble ticket information and by facilitatingaccess to knowledge bases. While useful, this type of automation hasreached the point of diminishing returns as it fails to address thefundamental weakness in the support model itself, its dependence onhumans.

Table 1 illustrates the distribution of labor costs associated withincident resolution in the conventional, human-based support model. Thedata shown is provided by Motive Communications, Inc. of Austin, Tex.(www.motive.com), a major supplier of help desk software. The highestcost items are those associated with tasks that require human analysisand/or interaction (e.g. Diagnosis, Investigation, Resolution).

TABLE 1 Support Tasks % Labor Cost Simple and Repeated Problems (30%)Desktop Configuration (User inflicted)  4% Desktop Environment (Softwaremalfunction)  9% Networking and Connectivity  7% How To (questions) 10%Complex & Dynamic Problems (70%) Triage (Identify user and supportentitlement)  7% Diagnosis (Analyze state of machine) 11% Investigation(Find the source of the problem) 35% Resolution and Repair (Walk userthrough the repair) 18%

Conventional software solutions for automated problem managementendeavor to decrease these costs and add value across a wide range ofservice levels. Forrester Research, Inc. of Cambridge, Mass.(www.forrester.com) provides a useful characterization of these servicelevels. Forrester Research divides conventional automated computersupport solutions into five service levels, including: (1)Mass-Healing—solving incidents before they occur; (2)Self-Healing—solving incidents when they occur; (3) Self-Service—solvingincidents before a user calls; (4) Assisted Service—solving incidentswhen a user calls; and (5) Desk-side Visit—solving incidents when allelse fails. According to Forrester, the cost per incident using aconventional self-healing service is less than one dollar. However, thecost quickly escalates, reaching more than three hundred dollars perincident if a desk-side visit is eventually required.

The objective of Mass Healing is to solve incidents before they occur.In conventional systems, this objective is achieved by making all PCconfigurations the same, or at a minimum, ensuring that a problem foundon one PC cannot be replicated on any other PCs. Conventional productstypically associated with this service level consist of softwaredistribution tools and configuration management tools. Security productssuch as anti-virus scanners, intrusion detection systems, and dataintegrity checkers are also considered part of this level since theyfocus on preventing incidents from occurring.

The conventional products that attempt to address this service leveloperate by constraining the managed population to a small number ofknown good configurations and by detecting and eliminating a relativelysmall number of known bad configurations (e.g. virus signatures). Theproblem with this approach is that it assumes that: (1) all good and badconfigurations can be known ahead of time; and (2) once they are knownthat they remain relatively stable. As the complexity of computer andnetworking systems increases, the stability of any particular node inthe network tends to decrease. Both the hardware and software on anyparticular node is likely to change frequently. For example, manysoftware products are capable of automatically updating themselves usingsoftware patches accessed over an internal network or the Internet.Since there are an infinite number of good and bad configurations andsince they change constantly, these conventional self-healing productscan never be more than partially effective.

Further, virus authors continue to develop more and more clever viruses.Conventional virus detection and eradication software depends on theability to identify a known pattern to detect and eradicate a virus.However, as the number and complexity of viruses increases, theresources required to maintain a database of known viruses and fixes forthose viruses combined with the resources required to distribute thefixes to the population of nodes on a network becomes overwhelming. Inaddition, a conventional PC utilizing a Microsoft Windows operatingsystem includes over 7,000 system files and over 100,000 registry keysall of which are multi-valued. Accordingly, for all practical purposes,an infinite number of good states and an infinite number of bad statesmay exist, making the task of identifying the bad states morecomplicated.

The objective of the Self-Healing level is to sense and automaticallycorrect problems before they result in a call to the help desk, ideallybefore the user is even aware that a problem exists. ConventionalSelf-Healing tools and utilities have existed since the late 80s whenPeter Norton introduced a suite of PC diagnostics and repair tools(www.Symantec.com). These tools also include tools that allow a user torestore a PC to a restore point set prior to installation of a newproduct. However, none of the conventional tools work well under realworld conditions.

One fundamental problem of these conventional tools is the difficulty increating a reference model with sufficient scope, granularity, andflexibility to allow “normal” to be reliably distinguished from“abnormal”. Compounding the problem is the fact that the definition of“normal” must constantly change as new software updates and applicationsare deployed. This is a formidable technical challenge and one that hasyet to be conquered by any of the conventional tools.

The objective of the Self-Service level is to reduce the volume of helpdesk calls by providing a collection of automated tools and knowledgebases that enable end users to help themselves. ConventionalSelf-Service products consist of “how to” knowledge bases andcollections of software solutions that automate low risk, repetitivesupport functions such as resetting forgotten passwords. Theseconventional solutions have a significant downside in that they increasethe likelihood of self-inflicted damage. For this reason they arelimited to specific types of problems and applications.

The objective of the Assisted Service level is to enhance humanefficiency by providing an automated infrastructure for managing aservice request and by providing capabilities to remotely control apersonal computer and to interact with end users. Conventional AssistedService products include help desk software, online reference materials,and remote control software.

While the products at this service level are perhaps the most mature ofthe conventional products and solutions described herein, they stillfail to fully meet the requirements of users and organizations.Specifically, the ability of these products to automatically diagnoseproblems is severely limited both in terms of the types of problems thatcan be correctly identified as well as the accuracy of the diagnosis(often multiple choice).

A Desk-Side Visit becomes necessary when all else fails. This servicelevel includes any “hands-on” activities that may be necessary torestore a computer that cannot be diagnosed/repaired remotely. It alsoincludes tracking and managing these activities to ensure timelyresolution. Of all the service levels, this level is most likely torequire significant time from highly trained, and therefore expensive,human resources.

Conventional products at this level consist of specialized diagnostictools and software products that track and resolve customer problemsover time and potentially across multiple customer servicerepresentatives.

Thus, what is needed is a paradigm shift, which is necessary tosignificantly reduce support costs. This shift will be characterized bythe emergence of a new support model in which machines will serve as theprimary agents for making decisions and initiating actions.

SUMMARY

Embodiments of the present invention provide systems and methods forautomated computer support. One method according to one embodiment ofthe present invention comprises receiving a plurality of snapshots froma plurality of computers, storing the plurality of snapshots in a datastore, and creating an adaptive reference model based at least in parton the plurality of snapshots. The method further comprises comparing atleast one of the plurality of snapshots to the adaptive reference model,and identifying at least one anomaly based on the comparison. In anotherembodiment, a computer-readable medium (such as, for example randomaccess memory or a computer disk) comprises code for carrying out such amethod.

These embodiments are mentioned not to limit or define the invention,but to provide examples of embodiments of the invention to aidunderstanding thereof.

Illustrative embodiments are discussed in the Detailed Description, andfurther description of the invention is provided there. Advantagesoffered by the various embodiments of the present invention may befurther understood by examining this specification.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the presentinvention are better understood when the following Detailed Descriptionis read with reference to the accompanying drawings, wherein:

FIG. 1 illustrates an exemplary environment for implementation of oneembodiment of the present invention;

FIG. 2 is a block diagram illustrating a flow of information and actionsin one embodiment of the present invention;

FIG. 3 is a flow chart illustrating an overall process of anomalydetection in one embodiment of the present invention; and

FIG. 4 is a block diagram illustrating components of an adaptivereference model in one embodiment of the present invention;

FIG. 5 is a flow chart illustrating a process of normalizing registryinformation on a agent in one embodiment of the present invention;

FIG. 6 is a flow chart illustrating a method for identifying andresponding to an anomaly in one embodiment of the present invention;

FIG. 7 is a flow chart illustrating a process for identifying certaintypes of anomalies in one embodiment of the present invention;

FIG. 8 is a flow chart illustrating a process for generating an adaptivereference model in one embodiment of the present invention;

FIG. 9 is a flow chart, illustrating a process for proactive anomalydetection in one embodiment of the present invention;

FIG. 10 is a flow chart, illustrating a reactive process for anomalydetection in one embodiment of the present invention;

FIG. 11 is a screen shot of a user interface for creating an adaptivereference model in one embodiment of the present invention;

FIG. 12 is a screen shot of a user interface for managing an adaptivereference model in one embodiment of the present invention;

FIG. 13 is a screen shot of a user interface for selecting a snapshot touse for creation of a recognition filter in one embodiment of thepresent invention;

FIG. 14 is a screen shot of a user interface for managing a recognitionfilter in one embodiment of the present invention;

FIG. 15 is a screen shot illustrating a user interface for selecting a“golden system” for use in a policy template in one embodiment of thepresent invention; and

FIG. 16 is a screen shot of a user interface for selecting policytemplate assets in one embodiment of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention provide systems and method forautomated computer support. Referring now to the drawings in which likenumerals indicate like elements throughout the several figures, FIG. 1is a block diagram illustrating an exemplary environment forimplementation of one embodiment of the present invention. Theembodiment shown includes an automated support facility 102. Althoughthe automated support facility 102 is shown as a single facility in FIG.1, it may comprise multiple facilities or be incorporated into the sitewhere the managed population resides. The automated support facilityincludes a firewall 104 in communication with a network 106 forproviding security to data stored within the automated support facility102. The automated support facility 102 also includes a Collectorcomponent 108. The Collector component 108 provides, among otherfeatures, a mechanism for transferring data in and out of the automatedsupport facility 102. The transfer routine may use a standard protocolsuch as file transfer protocol (FTP) or hypertext transfer protocol(HTTP) or may use a proprietary protocol. The Collector component alsoprovides the processing logic necessary to download, decompress, andparse incoming snapshots.

The automated support facility 102 shown also includes an Analyticcomponent 110 in communication with the Collector component 108. TheAnalytic component 110 includes hardware and software for implementingthe adaptive reference model described herein and storing the adaptivereference model in a Database component 112. The Analytic component 110extracts adaptive reference models and snapshots from a Databasecomponent 112, analyzes the snapshot in the context of the referencemodel, identifies and filters any anomalies, and transmits responseagent(s) when appropriate. The Analytic component 110 also provides theuser interface for the system.

The embodiment shown also includes a Database component 112 incommunication with the Collector component 108 and the Analyticcomponent 110. The Database component 112 provides a means for storingdata from the agents and for the processes performed by an embodiment ofthe present invention. A primary function of the Database component maybe to store snapshots and adaptive reference models. It includes a setof database tables as well as the processing logic necessary toautomatically manage those tables. The embodiment shown includes onlyone Database component 112 and one Analytic component 110. Otherembodiments include many Database and or Analytic components 112, 110.One embodiment includes one Database component and multiple Analyticcomponents, allowing multiple support personnel to share a singledatabase while performing parallel analytical tasks.

An embodiment of the present invention provides automated support to amanaged population 114 that may comprise a plurality of client computers116 a,b. The managed population provides data to the automated supportfacility 102 via the network 106.

In the embodiment shown in FIG. 1, an Agent component 202 is deployedwithin each monitored machine 116 a, b. The Agent component 202 gathersdata from the client 116. At scheduled intervals (e.g., once per day) orin response to a command from the Analytic component 110, the Agentcomponent 202 takes a detailed snapshot of the state of the machine inwhich it resides. This snapshot includes a detailed examination of allsystem files, designated application files, the registry, performancecounters, processes, services, communication ports, hardwareconfiguration, and log files. The results of each scan are thencompressed and transmitted in the form of a Snapshot to a Collectorcomponent 108.

Each of the servers, computers, and network components shown in FIG. 1comprise processors and computer-readable media. As is well known tothose skilled in the art, an embodiment of the present invention may beconfigured in numerous ways by combining multiple functions into asingle computer or alternatively, by utilizing multiple computers toperform a single task.

The processors utilized by an embodiment of the present invention mayinclude, for example, digital logic processors capable of processinginput, executing algorithms, and generating output as necessary insupport of processes according to the present invention. Such processorsmay include a microprocessor, an ASIC, and state machines. Suchprocessors include, or may be in communication with, media, for examplecomputer-readable media, which stores instructions that, when executedby the processor, cause the processor to perform the steps describedherein.

Embodiments of computer-readable media include, but are not limited to,an electronic, optical, magnetic, or other storage or transmissiondevice capable of providing a processor, such as the processor incommunication with a touch-sensitive input device, withcomputer-readable instructions. Other examples of suitable mediainclude, but are not limited to, a floppy disk, CD-ROM, magnetic disk,memory chip, ROM, RAM, an ASIC, a configured processor, all opticalmedia, all magnetic tape or other magnetic media, or any other mediumfrom which a computer processor can read instructions. Also, variousother forms of computer-readable media may transmit or carryinstructions to a computer, including a router, private or publicnetwork, or other transmission device or channel, both wired andwireless. The instructions may comprise code from anycomputer-programming language, including, for example, C, C#, C++,Visual Basic, Java, and JavaScript.

FIG. 2 is a block diagram illustrating a flow of information and actionsin one embodiment of the present invention. The embodiment showncomprises an Agent component 202. The Agent component 202 is the part ofthe system that is deployed within each monitored machine. It mayperform three major functions. First, it may be responsible forgathering data. The Agent component 202 may perform an extensive scan ofthe client machine 116 a,b at scheduled intervals, in response to acommand from the Analytic component 110, or in response to events ofinterest detected by the Agent component 202. This scan may include adetailed examination of all system files, designated application files,the registry, performance counters, hardware configuration, logs,running tasks, services, network connections, and other relevant data.The results of each scan are compressed and transmitted over network 106in the form of a “snapshot” to the Collector component 108.

In one embodiment, the Agent component 202 reads every byte of files tobe examined and creates a digital signature or hash for each file. Thedigital signature identifies the exact contents of each file rather thansimply providing metadata, such as the size and the creation date. Someconventional viruses change the file header information in an attempt tofool systems that rely on metadata for detection. Such an embodiment isable to successfully detect such viruses.

The scan of the client by the Agent component 202 may be resourceintensive. In one embodiment, a full scan is performed periodically,e.g., daily, during a time when the user is not using the clientmachine. In another embodiment, the Agent component 202 performs adelta-scan of the client machine, logging only the changes from the lastscan. In another embodiment, scans by the Agent component 202 areexecuted on demand, providing a valuable tool for a technician orsupport person attempting to remedy an anomaly on the client machine.

The second major function performed by the agent 202 is that of behaviorblocking. The agent 202 constantly (or substantially constantly)monitors access to key system resources such as system files and theregistry. It is able to selectively block access to these resources inreal time to prevent damage from malicious software. While behaviormonitoring occurs on an ongoing basis, behavior blocking is enabled aspart of a repair action. For example, if the Analytic component 110suspects the presence of a virus, it can download a repair action tocause the client to block the virus from accessing key informationresources within the managed system. The client component 202 providesinformation from the monitoring process as part of the snapshot.

The third major function performed by the Agent component 202 is toprovide an execution environment for response agents. Response agentsare mobile software components that implement automated procedures toaddress various types of trouble conditions. For example, if theAnalytic component 110 suspects the presence of a virus, it can downloada response agent to cause the Agent component 202 to remove thesuspicious assets from the managed system. The Agent component 202 mayrun as a service or other background process on the computer beingmonitored. Because of the scope and granularity of information providedby an embodiment of the present invention, repair can be performed moreaccurately than with conventional systems. Although described in termsof a client, the managed population 114 may comprise PC's workstations,servers, or any other type of computer.

The embodiment shown also includes an adaptive reference model component206. One difficult technical challenge in building an automated supportproduct is the creation of a reference model that can be used todistinguish between normal and abnormal system states. The system stateof a modem computer is determined by many multi-valued variables andconsequently there are virtually a near-infinite number of normal andabnormal states. To make matters worse these variables change frequentlyas new software updates are deployed and as end users communicate. Theadaptive reference model 206 in the embodiment shown analyzes thesnapshots from many computers and identifies statistically significantpatterns using a generic data mining algorithm or a proprietary datamining algorithm designed specifically for this purpose. The resultingrule set is extremely rich (hundreds of thousands of rules) and iscustomized to the unique characteristics of the managed population. Inthe embodiment shown, the process of building a new reference model iscompletely automatic and can be executed periodically to allow the modelto adapt to desirable changes such as the planned deployment of asoftware update.

Since the adaptive reference model 206 is used for the analysis ofstatistically significant patterns from a population of machines, in oneembodiment, a minimum number of machines are analyzed to ensure theaccuracy of the statistical measures. In one embodiment, a minimumpopulation of approximately 50 machines is tested to achievesystemically relevant patterns for analysis of the machines. Once areference is established, samples can be used to determine if anythingabnormal is occurring within the entire population or any member of thepopulation.

In another embodiment, the Analytic component 110 calculates a set ofmaturity metrics that enable the user to determine when a sufficientnumber of samples have been accumulated to provide accurate analysis.These maturity metrics indicate the percentage of availablerelationships at each level of the model that have met predefinedcriteria corresponding to various levels of confidence (e.g. High,Medium, and Low). In one such embodiment, the user monitors the metricsand ensures that enough snapshots have been assimilated to create amature model. In another such embodiment, the Analytic component 110assimilates samples until it reaches a predefined maturity goal set bythe user. In either such embodiment, it is not necessary to assimilate acertain number of samples (e.g. 50).

The embodiment shown in FIG. 2 also comprises a Policy Templatecomponent 208. The Policy Template component 208 allows the serviceprovider to manually insert rules in the form of “policies” into theadaptive reference model. Policies are combinations of attributes(files, registry keys, etc.) and values that when applied to a model,override a portion of the statistically generated information in themodel. This mechanism can be used to automate a variety of commonmaintenance activities such as verifying compliance to security policiesand checking to ensure that the appropriate software updates have beeninstalled.

When something goes wrong with a computer, it often impacts a number ofdifferent information assets (files, registry keys, etc.). For example,a “Trojan” might install malicious files, add certain registry keys toensure that those files are executed, and open ports for communication.The embodiment shown in FIG. 2 detects these undesirable changes asanomalies by comparing the snapshot from the infected machine with thenorm embodied in the adaptive reference model. An anomaly is defined asan unexpectedly present asset, an unexpectedly absent asset, or an assetthat has an unknown value. Anomalies are matched against a library ofRecognition Filters 216. A Recognition Filter 216 comprises a particularpattern of anomalies that indicates the presence of a particular rootcause condition or a generic class of conditions. Recognition Filters216 also associate conditions with a severity indication, a textualdescription, and a link to a response agent. In another embodiment, aRecognition Filter 216 can be used to identify and interpret benignanomalies. For example, if a user adds a new application that theadministrator is confident will not cause any problems, the systemaccording to the present invention will still report the new applicationas a set of anomalies. If the application is new, then reporting theassets that it adds as anomalies is correct. However, the administratorcan use a Recognition Filter 216 to interpret the anomalies produced byadding the application as benign.

In an embodiment of the present invention, certain attributes relate tocontinuous processes. For example, the performance data are comprised ofvarious counters. These counters measure the occurrence of variousevents over a particular time period. To determine if the value of sucha counter is normal across a population, one embodiment of the presentinvention computes a mean and standard deviation. An anomaly is declaredif the value of the counter falls more than a certain number of standarddeviations away from the mean.

In another embodiment, a mechanism handles the case in which theadaptive reference model 206 assimilates a snapshot containing ananomaly. Once a model achieves the desired maturity level it undergoes aprocess that removes anomalies that may have been assimilated. Theseanomalies are visible in a mature model as isolated exceptions to strongrelationships. For example, if file A appears in conjunction with file Bin 999 machines but in 1 machine file A is present but file B ismissing, the process will assume that the later relationship isanomalous and it will be removed from the model. When the model issubsequently used for checking, any machine containing file A, but notfile B, will be flagged as anomalous.

The embodiment of the invention shown in FIG. 2 also includes a responseagent library 212. The response agent library 212 allows the serviceprovider to author and store automated responses for specific troubleconditions. These automated responses are constructed from a collectionof scripts that can be dispatched to a managed machine to performactions like replacing a file or changing a registry value. Once atrouble condition has been analyzed and a response agent has beendefined, any subsequent occurrence of the same trouble condition shouldbe corrected automatically.

FIG. 3 is a flow chart illustrating an overall process of anomalydetection in one embodiment of the present invention. In the embodimentshown, the Agent component (202) performs a snapshot on a periodicbasis, e.g., once per day 302. This snapshot involves collecting amassive amount of data and can take anywhere from a few minutes to hoursto execute, depending on the configuration of the client. When the scanis complete the results are compressed, formatted, and transmitted inthe form of a snapshot to a secure server known as the Collectorcomponent 304. The Collector component acts as a central repository forall of the snapshots being submitted from the managed population. Eachsnapshot is then decompressed, parsed, and stored in various tables inthe database by the Collector component.

The detection function (218) uses the data stored in the adaptivereference model component (206) to check the contents of the snapshotagainst hundreds of thousands of statistically relevant relationshipsthat are known to be normal for that managed population 308. If noanomaly is found 310, the process ends 324.

If an anomaly is found 310, the Recognition Filters (210) are consultedto determine if the anomaly matches any known conditions 312. If theanswer is yes, then the anomaly is reported according to the conditionthat has been diagnosed 314. Otherwise, the anomaly is reported as anunrecognized anomaly 316. The Recognition Filter (216) also indicateswhether or not an automated response has been authorized for thatparticular type of condition 318.

In one embodiment, the Recognition Filters (216) can recognize andconsolidate multiple anomalies. The process of matching RecognitionFilters to anomalies is performed after the entire snapshot has beenanalyzed and all anomalies associated with that snapshot have beendetected. If a match is found between a subset of anomalies and aRecognition Filter, the name of the Recognition Filter will beassociated with the subset of anomalies in the output stream. Forexample, the presence of a virus might generate a set of file anomalies,process anomalies, and registry anomalies. A Recognition Filter could beused to consolidate these anomalies so that the user would simply see adescriptive name relating all the anomalies to a likely common cause,i.e. a virus.

If automated response has been authorized, then the response agentlibrary (212) downloads the appropriate response agents to the affectedmachine 320. The Agent component 202 in the affected machine thenexecutes the sequence of scripts needed to correct the trouble condition322. The process shown then ends 324.

Embodiments of the present invention substantially reduce the cost ofmaintaining a population of personal computers and servers. Oneembodiment accomplishes this objective by automatically detecting andcorrecting trouble conditions before they escalate to the help desk andby providing diagnostic information to shorten the time required for asupport analyst to resolve any problems not addressed automatically.

Anything that reduces the frequency at which incidents occur has asignificant positive impact on the cost of computer support. Oneembodiment of the present invention monitors and adjusts the state of amanaged machine so that it is more resistant to threats. Using PolicyTemplates, service providers can routinely monitor the security postureof every managed system, automatically adjusting security settings andinstalling software updates to eliminate known vulnerabilities.

In a human-based support model, trouble conditions are detected by endusers, reported to a help desk, and diagnosed by human experts. Thisprocess accrues costs in a number of ways. First, there is costassociated with lost productivity while the end user waits forresolution. Also, there is the cost of data collection, usuallyperformed by help desk personnel. Additionally, there is the cost ofdiagnosis, which requires the services of a trained (expensive) supportanalyst. In contrast, a machine-based support model implementedaccording to the present invention senses, reports, and diagnoses manysoftware related trouble conditions automatically. The adaptivereference model technology enables detection of anomalous conditions inthe presence of extreme diversity and change with a sensitivity andaccuracy not previously possible.

In one embodiment of the present invention, to prevent false positives,the system can be configured to operate at various confidence levels,and anomalies that are known to be benign can be filtered out usingRecognition Filters. Recognition Filters can also be used to alert theservice provider to the presence of specific types of undesirable ormalicious software.

In conventional systems, computer incidents are usually resolved byhumans through the application of a series of trial and error repairactions. These repair actions tend to be of the “sledge hammer” variety,i.e. solutions that affect far more than the trouble conditions theywere intended to correct. Multiple choice repair procedures andsledgehammer solutions are a consequence of an inadequate understandingof the problem and a source of unnecessary cost. Because a systemaccording to the present invention has the data to fully characterizethe problem, it can reduce the cost of repair in two ways. First, it canautomatically resolve the incident if a Recognition Filter has beendefined that specifies the required automated response. Second, ifautomatic repair is not possible, the system's diagnostic capabilitieseliminate the guesswork inherent in the human-based repair process,reducing execution time and allowing greater precision.

FIG. 4 is a block diagram illustrating components of an adaptivereference model in one embodiment of the present invention. FIG. 4 ismerely exemplary.

The embodiment shown in FIG. 4 illustrates a multi-layer, single-siloadaptive reference model 402. In the embodiment shown, the silo 404comprises three layers: the value layer 406, the cluster layer 408, andthe profile layer 410.

The value layer 406 tracks the values of asset/value pairs provided bythe Agent component (202) described herein across the managed population(114) of FIG. 1. When a snapshot is compared to the adaptive referencemodel 402, the value layer 406 of the adaptive reference model 402evaluates the value portion of each asset/value pair contained therein.This evaluation consists of determining whether any asset value in thesnapshot violates a statistically significant pattern of asset valueswithin the managed population as represented by the adaptive referencemodel 402.

For example, an Agent (116 b) transfers a snapshot that includes adigital signature for a particular system file. During the assimilationprocess (when the adaptive reference model is being constructed) themodel records the values that it encounters for each asset name and thenumber of times that that value is encountered. Thus, for every assetname, the model knows the “legal” values that it has seen in thepopulation. When the model is used for checking, the value layer 406determines if the value of each attribute in the snapshot matches one ofthe “legal” values in the model. For example, in the case of a file, anumber of “legal” values are possible because various versions of thefile might exist in the managed population. An anomaly would be declaredif the model contained one or more file values that were statisticallyconsistent and the snapshot contained a file value that did not matchany of the file values in the model. The model can also detectsituations where there is no “legal” value for an attribute. Forexample, log files don't have a legal value since they changefrequently. If no “legal” value exists, then the attribute value in thesnapshot will be ignored during checking.

In one embodiment, adaptive reference model 402 implements criteria toensure than an anomaly is truly an anomaly and not just a new filevariant. The criteria may include a confidence level. Confidence levelsdo not stop a unique file from being reported as an anomaly. Confidencelevels constrain the relationships used in the model during the checkingprocess to those relationships that meet certain criteria. The criteriaassociated with each level are designed to achieve a certain statisticalprobability. For example, in one embodiment, the criteria for the highconfidence level are designed to achieve a statistical probability ofgreater than 90%. If a lower confidence level is specified, thenadditional relationships that are not as statistically reliable areincluded in the checking process. The process of considering viable, butless likely, relationships is similar to the human process ofspeculating when we need to make a decision without all the informationthat would allow us to be certain. In a continuously changingenvironment, the administrator may wish to filter out the anomaliesassociated with low confidence levels, i.e., the administrator may wishto eliminate as many false positives as possible.

In an embodiment that implements the confidence level, if a user reportsthat something is wrong with a machine, but the administrator is unableto see any anomalies at the default confidence level, the administratorcan lower the confidence level, enabling the analysis process toconsider relationships that have lower statistical significance and areignored at higher confidence levels. By reducing the confidence level,the administrator allows the adaptive reference model 402 to includepatterns that may not have enough samples to be statisticallysignificant but might provide clues as to what the problem is. In otherwords, the administrator is allowing the machine to speculate.

In another embodiment, the value layer 406 automatically eliminatesasset values from the adaptive reference model 402 if, afterassimilating a specified number of snapshots, the asset values havefailed to exhibit any stable pattern. For example, many applicationsgenerate log files. The values of log files constantly change and arerarely the same from machine to machine. In one embodiment, these filevalues are evaluated initially and then after a specified number ofevaluations, they are eliminated from the adaptive reference model 402.By eliminating these types of file values from the model 402, the systemeliminates unnecessary comparisons during the detection process 218 andreduces database storage requirements by pruning out low valueinformation.

An embodiment of the present invention is not limited to eliminatingasset values from the adaptive reference model 402. In one embodiment,the process also applies to the asset names. Certain asset names are“unique by nature”, that is they are unique to a particular machine butthey are a by-product of normal operation. In one embodiment, a separateprocess handles unstable asset names. This process in such an embodimentidentifies asset names that are unique by nature and allows them to stayin the model so that they are not reported as anomalies.

The second layer shown in FIG. 4 is the cluster layer 408. The clusterlayer 408 tracks relationships between asset names. An asset name canapply to a variety of entities including a file name, a registry keyname, a port number, a process name, a service name, a performancecounter name, or a hardware characteristic. When a particular set ofasset names is generally present in tandem on the machines in a managedpopulation (114), the cluster layer 408 is able to flag an anomaly whena member of the set of asset names is absent.

For example, many applications on a computer executing a MicrosoftWindows operating system require a multitude of dynamic link libraries(DLL). Each DLL will often depend on one or more other DLLYs. If thefirst DLL is present, then the other DLLYs must be present as well. Thecluster layer 408 tracks this dependency and if one of the DLL's ismissing or altered, the cluster layer 408 alerts the administrator thatan anomaly has occurred.

The third layer in the adaptive reference model 402 shown in FIG. 4 isthe profile layer 410. The profile layer 410 in the embodiment showndetects anomalies based on violations of cluster relationships. Thereare two types of relationships, associative (the clusters appeartogether) and exclusionary (the clusters never appear together). Theprofile layer 410 allows the adaptive reference model to detect missingassets not detected by the cluster layer as well as conflicts betweenassets. The profile layer 410 determines which clusters have strongassociative and exclusionary relationships with one another. In such anembodiment, if a particular cluster is not detected in a snapshot whereit would normally be expected by virtue of the presence of otherclusters with which it has strong associative relationships, then theprofile layer 410 detects the absence of that cluster as an anomaly.Likewise, if a cluster is detected in a snapshot where it would notnormally be expected because of the presence of other clusters withwhich it has strong exclusionary relationships, then the profile layer410 detects the presence of the first cluster as an anomaly. The profilelayer 410 allows the adaptive reference model 402 to detect anomaliesthat would not be detectable at the lower levels of the silo 404.

The adaptive reference model 402 shown in FIG. 4 may be implemented invarious ways that are well known to those skilled in the art. Byoptimizing the processing of the adaptive reference model 402 and byproviding sufficient processing and storage resources, an embodiment ofthe present invention is able to support an unlimited number of managedpopulations and individual clients. Both the assimilation of a new modeland the use of the model in checking involve the comparison of hundredsof thousands of attribute names and values. Performing these comparisonsusing the text strings for the names and values is a very demandingprocessing task. In one embodiment of the present invention, everyunique string in an incoming snapshot is assigned an integer identifier.The comparisons are then performed using the integer identifiers ratherthan the strings. Because computers can compare integers much fasterthan the long strings associated with file names or registry key names,processing efficiency is greatly enhanced.

The adaptive reference model 402 relies on data from the Agent component(202). The functionality of the Agent component (202) is describedabove, which is a functional summary of the user interface and the Agentcomponent (202) in one embodiment of the present invention.

An embodiment of the present invention is able to compare registryentries across the client machines in a managed population. Onedifficulty in comparing registry keys across different machines runninga Microsoft Windows operating system derives from the use of a GlobalUnique Identifier (“GUID”). A GUID for a particular item on one machinemay differ from the GUID for the same item on a second machine.Accordingly, an embodiment of the present system provides a mechanismfor normalizing the GUID's for comparison purposes.

FIG. 5 is a flow chart illustrating a process of normalizing registryinformation on a client in one embodiment of the present invention. Inthe embodiment shown, the GUID's are first grouped into two groups 502.The first group is for GUID's that are non-unique (duplicated) acrossmachines in the managed population. The second group includes GUID'sthat are unique across machines, i.e., the same key has a different GUIDon different machines within the managed population. The keys for thesecond group are next sorted 504. In this way, the relationship amongtwo or more keys within the same machine can be identified. The intentis to normalize such relationships in a way that will allow them to becompared across multiple machines.

The embodiment shown next creates a hash for the values in the keys 506.This creates a unique signature for all the names, pathnames, and othervalues contained in the key. The hash is then substituted for the GUID508. In this manner, uniqueness is maintained within the machine, butthe same hash appears in every machine so that the relationship can beidentified. The relationship allows the adaptive reference model toidentify anomalies within the managed population.

For example, conventional viruses often change registry keys so that theinfected machine will run the executable that spreads the virus. Anembodiment of the present invention is capable of identifying thechanges to the registry in one or more machines of the population due toits ability to normalize registry keys.

FIG. 6 is a flow chart illustrating a method for identifying andresponding to an anomaly in one embodiment of the present invention. Inthe embodiment shown, a processor, such as the Collector component(108), receives a plurality of snapshots from a plurality of computers602. Although the following discussion describes the process shown inFIG. 6 as being performed by the Analytic component (110), any suitableprocessor may perform the process shown. The plurality of snapshots maycomprise as few as two snapshots from two computers. Alternatively, theplurality of snapshots may comprise thousands of snapshots. Thesnapshots comprise data about computers in a population to be examined.For example, the plurality of snapshots may be received from each of thecomputers in communication with an organization's local area network.Each snapshot comprises a collection of asset/value pairs that representthe state of a computer at a particular point in time.

As the Collector component (108) receives the snapshots, it stores them604. Storing the snapshots may comprise storing them in a data store,such as in database (112) or in memory (not shown). The snapshots may bestored temporarily or permanently. Also, in one embodiment of thepresent invention, the entire snapshot is stored in a data store. Inanother embodiment, only the portions of the snapshot that have changedfrom a prior version are stored (i.e., a delta snapshot).

The Analytic component (110) utilizes the data in the plurality ofsnapshots to create an adaptive reference model 606. Each of thesnapshots comprises a plurality of assets, which comprise a plurality ofpairs of asset names and asset values. An asset is an attribute of acomputer, such as a file name, a registry key name, a performanceparameter, or a communication port. The assets reflect a state of acomputer, actual or virtual, within the population of computersanalyzed. An asset value is the state of an asset at a particular pointin time. For example, for a file, the value may comprise an MD5 hashthat represents the contents of the file; for a registry key, the valuemay comprise a text string that represents the data assigned to the key.

The adaptive reference model also comprises a plurality of assets. Theassets of the adaptive reference model may be compared to the assets ofa snapshot to identify anomalies and for other purposes. In oneembodiment, the adaptive reference model comprises a collection of dataabout various relationships between assets that characterize one or morenormal computers at a particular point in time.

In one embodiment, the Analytic component (110) identifies a cluster ofasset names. A cluster comprises one or more non-overlapping groups ofasset names that appear together. The Analytic component (110) may alsoattempt to identify relationships among the clusters. For example, theAnalytic component (110) may compute a matrix of probabilities thatpredict, given the existence of a particular cluster in a snapshot, thelikelihood of the existence of any other cluster in the snapshot.Probabilities that are based on a large number of snapshots and areeither very high (e.g. greater than 95%) or very low (e.g. less than 5%)can be used by the model to detect anomalies. Probabilities that arebased on a small number of snapshots, (i.e. a number that is notstatistically significant) or that are neither very high nor very loware not used to detect anomalies.

The adaptive reference model may comprise a confidence criterion fordetermining when a relationship can be used to test a snapshot. Forexample, the confidence criterion may comprise a minimum threshold for anumber of snapshots contained in the adaptive reference model. If thethreshold is not exceeded, the relationship will not be used. Theadaptive reference may also or instead comprise a minimum threshold fora number of snapshots contained in the adaptive reference model thatinclude the relationship, utilizing the relationship only if thethreshold is exceeded. In one embodiment, the adaptive reference modelcomprises a maximum threshold for a ratio of the number of differentasset values to the number of snapshots containing the asset values. Theadaptive reference model may comprise one or more minimum and maximumthresholds associated with numeric asset values.

Each of the plurality of assets in the adaptive reference model or in asnapshot may be associated with an asset type. The asset type maycomprise, for example, a file, a registry key, a performance measure, aservice, a hardware component, a running process, a log, and acommunication port. Other asset types may also be utilized byembodiments of the present invention. In order to conserve space, theasset names and asset values may be compressed. For instance, in oneembodiment of the present invention, the Collector component (108)identifies the first occurrence of an asset name or asset value in oneof the plurality of snapshots and generates an identifier associatedwith that first occurrence. Subsequently, if the Collector component(108) identifies a second occurrence of the asset name or asset value,the Collector component (108) associates the identifier with the secondasset name and asset value. The identifier and asset name or asset valuecan then be stored in an index, while only the identifier is stored withthe data in the adaptive reference model or snapshot. In this way, spacenecessitated to store frequently repeated asset names or values isminimized.

The adaptive reference model may be automatically generated. In oneembodiment, the adaptive reference model is generated automatically andthen manually revised to account for knowledge of technical supportpersonnel or others. FIG. 11 is a screen shot of a user interface forcreating an adaptive reference model in one embodiment of the presentinvention. In the embodiment shown, a user selects the snapshots to beincluded in the model by moving them from the Machine Selection Menuwindow 1102 to the Machines in Task window 1104. When the user completesthe selection process and clicks the Finish button 1106 an automatedtask is created that causes the model to be generated. Once the modelhas been created, the user can use another interface screen to manageit. FIG. 12 is a screen shot of a user interface for managing anadaptive reference model in one embodiment of the present invention.

Referring again to FIG. 6, once the adaptive reference model has beencreated, the Analytic component (110) compares at least one of theplurality of snapshots to the adaptive reference model 608. For example,the Collector component (108) may receive and store in the Databasecomponent (112) one hundred snapshots. The Analytic component (110) usesthe one hundred snapshots to create an adaptive reference model. TheAnalytic component (110) then begins comparing each of the snapshots inthe plurality of snapshots to the adaptive reference model. At some timelater the Collector component (108) may receive 100 new snapshots fromthe Agent components, which can then be used by the Analytic componentto generate a revised version of the adaptive reference model and toidentify anomalies.

In one embodiment of the present invention, the comparison of one ormore snapshots to an adaptive reference model comprises examiningrelationships among asset names. For instance, the probability ofexistence for a first asset name may be high when a second asset name ispresent. In one embodiment, the comparison comprises determining whetherall of the asset names in a snapshot exist within the adaptive referencemodel and are consistent with a plurality of high probabilityrelationships among asset names.

Referring still to FIG. 6, in one embodiment, the Analytic component(110) compares the snapshot to the adaptive reference model in order toidentify any anomalies that may be present on a computer 610. An anomalyis an indication that some portion of a snapshot deviates from normal asdefined by the adaptive reference model. For example, an asset name orvalue may deviate from the normal asset name and asset value expected inparticular situation as defined by an adaptive reference model. Theanomaly may or may not signal that a known or new trouble or problemcondition exists on or in relation to the computer with which thesnapshot is associated. A condition is a group of anomalies that arerelated. For example, a group of anomalies may be related because theyarise from a single root cause. For example, an anomaly may indicate thepresence of a particular application on a computer when that applicationis not generally present on the other computers within a givenpopulation. Recognition of anomalies may also be used for functions suchas capacity balancing. For instance, by evaluating performance measuresof several servers, the Analytic component (110) is able to determinewhen to trigger the automatic deployment and configuration of a newserver to address changing demands.

A condition comprises a group of related anomalies. For example, a groupof anomalies may be related because they arise from a single root cause,such as installation of an application program or the presence of a“worm.” A condition may comprise a condition class. The condition classallows various conditions to be grouped with one another.

In the embodiment shown in FIG. 6, if an anomaly is found, the Analyticcomponent (110) attempts to match the anomaly to a recognition filter inorder to diagnose a condition 612. The anomaly may be identified as abenign anomaly in order to eliminate noise during analysis, i.e., inorder to avoid obscuring real trouble conditions because of the presenceof anomalies that are the result of normal operating processes. A checkis a comparison of a snapshot to an adaptive reference model. A checkmay be automatically performed. The output of a check may comprise a setof anomalies and conditions that have been detected. In one embodiment,the anomaly is matched to a plurality of recognition filters. Arecognition filter comprises a signature of a condition or of a class ofconditions. For example a recognition filter may comprise a collectionof pairs of asset names and values that, when taken together, representthe signature of a condition that is desirable to recognize, such as thepresence of a worm. A generic recognition filter may provide a templatefor creating more specific filters. For example, a recognition filterthat is adapted to search for worms in general may be adapted to searchfor a specific worm.

In one embodiment of the present invention, a recognition filtercomprises at least one of: an asset name associated with the condition,an asset value associated with the condition, a combination of assetname and asset value associated with the condition, a maximum thresholdassociated with an asset value and with the condition, and a minimumthreshold associated with an asset value and with the condition. Assetname/value pairs from a snapshot may be compared to the name/value pairsfrom the recognition filter to find a match and diagnose a condition.The name/value matching may be exact or the recognition filter maycomprise a wildcard, allowing a partial value to be entered in therecognition filter and then matched with the snapshot. A particularasset name and/or value may be matched to a plurality of recognitionfilters in order to diagnose a condition.

A recognition filter may be created in various ways. For example, in oneembodiment of the present invention, a user copies the anomalies from amachine where the condition of interest is present. The anomalies may bepresented in an anomaly summary from which they can be selected andcopied to the filter. In another embodiment, a user enters a wildcardcharacter in a filter definition. For example, one piece of spywarecalled Gator generates thousands of registry keys that start with thestring “hklm\software\gator\”. An embodiment of the present inventionmay provide a wildcard mechanism to efficiently deal with thissituation. The wildcard character may be, for example, the percent sign(%), and may be used before a text string, after a text string, or inthe middle of a text string. Continuing the Gator example, if the userenters the string “hklm\software\gator\%” in the filter body, then anykey starting with “hklm\software\gator” will be recognized by thefilter. The user may wish to construct a filter for a condition that hasnot yet been experienced in the managed population. For example, afilter for a virus based on publicly available information on theInternet rather than an actual instance of the virus within the managedpopulation. To address this situation the user enters the relevantinformation directly into a filter.

FIG. 13 is a screen shot of a user interface for selecting a snapshot touse for creation of a recognition filter in one embodiment of thepresent invention. A user accesses the screen shot shown to selectsnapshots to be used to create the recognition filter. FIG. 14 is ascreen shot of a user interface for creating or editing a recognitionfilter in one embodiment of the present invention. In the embodimentshown, assets from the snapshot selected in the interface illustrated inFIG. 13 are displayed in the Data Source window 1402. The user selectsthese assets and copies them to the Source window 1404 to create therecognition filter.

In one embodiment, the match between a recognition filter and a set ofanomalies is associated with a quality measure. For example, an exactmatch of all of the asset names and asset values in the recognitionfilter with asset names and asset values in the set of anomalies may beassociated with a higher quality measure than a match of a subset of theasset names and asset values in the recognition filter with asset namesand asset values in the set of anomalies.

The recognition filter may comprise other attributes as well. Forexample, in one embodiment, the recognition filter comprises a controlflag for determining whether to include the asset name and the assetvalue in the adaptive reference model. In another embodiment, therecognition filter comprises one or more textual descriptions associatedwith one or more conditions. In yet another embodiment, the recognitionfilter comprises a severity indicator that indicates the severity of acondition in terms of, for example, how much damage it may cause, howdifficult it may be to remove, or some other suitable measure.

The recognition filter may comprise fields that are administrative innature. For example, in one embodiment, the recognition filter comprisesa recognition filter identifier, a creator name, and an updatedate-time.

Still referring to FIG. 6, the Analytic component (110) next responds tothe condition 614. Responding to the condition may comprise, forexample, generating a notification, such as an email to a supporttechnician, submitting a trouble ticket to a problem management system,requesting permission to take an action, for instance, asking forconfirmation from a support technician to install a patch, and removingthe condition from at least one of the plurality of computers. Removingthe condition may comprise, for example, causing a response agent to beexecuted in any of the plurality of computers affected by the condition.The condition may be associated with an automatic response. The steps ofdiagnosing 612 and responding to conditions 614 may be repeated for eachcondition. Also, the process of finding anomalies 610 may be repeatedfor each individual snapshot.

In the embodiment shown in FIG. 6, the Analytic component (110) nextdetermines whether additional snapshots are to be analyzed 616. If so,the steps of comparing the snapshot to the adaptive reference model 608,finding anomalies 610, matching the anomalies to a recognition filter todiagnose a condition 612, and responding to the condition 614 arerepeated for each snapshot. Once all of the snapshots have beenanalyzed, the process ends 618.

In one embodiment of the present invention, once the Analytic component(110) has identified a condition, the Analytic component (110) attemptsto determine which of the plurality of computers within a population areaffected by the condition. For example, the Analytic component (110) mayexamine the snapshots to identify a particular set of anomalies. TheAnalytic component (110) may then cause a response to the condition tobe executed on behalf of each of the affected computers. For example, inone embodiment, an Agent component (202) resides on each of theplurality of computers. The Agent component (202) generates the snapshotthat is evaluated by the Analytic component (110). In one suchembodiment, the Analytic component (110) utilizes the Agent component(202) to execute a response program if the Analytic component (110)identifies a condition on one of the computers. In diagnosing acondition, the Analytic component (110) may or may not be able toidentify a root cause of a condition.

FIG. 7 is a flow chart illustrating a process for identifying certaintypes of anomalies in one embodiment of the present invention. In theembodiment shown, the Analytic component (110) evaluates snapshots for aplurality of computers 702. These snapshots can be base snapshots thatcomprise the complete state of the computer or delta snapshots thatcomprise the changes in the state of the computer since the last basesnapshot. The Analytic component (110) uses the snapshots to create anadaptive reference model 704. Note that when using delta snapshots forthis purpose, the Analytic component must first reconstitute theequivalent of a base snapshot by applying the changes described in thedelta snapshot to the most recent base snapshot. The Analytic component(110) subsequently receives a second snapshot (base or delta) for atleast one of the plurality of computers 706. The snapshot may be createdbased on various events, such as the passage of a predetermined amountof time, the installation of a new program, or some other suitableevent.

The Analytic component (110) compares the second snapshot to theadaptive reference model to attempt and detect anomalies. Various typesof anomalies may exist on a computer. In the embodiment shown, theAnalytic component (110) first attempts to identify asset names that areunexpectedly absent 710. For example, all or substantially all of thecomputers within a population may include a particular file. Theexistence of the file is noted in the adaptive reference model by thepresence of an asset name. If the file is unexpectedly absent from oneof the computers within the population, i.e., the asset name is notfound, some condition may be affecting the computer on which the file ismissing. If the asset name is unexpectedly absent, the absence isidentified as an anomaly 712. For example, an entry identifying thecomputer, date, and unexpectedly absent asset may be entered in a datastore.

The Analytic component (110) next attempts to identify asset names thatare unexpectedly present 714. The presence of an unexpected asset name,such as a file name or registry entry, may indicate the presence of atrouble condition, such as a computer worm. An asset name isunexpectedly present if it has never been seen before or if it has neverbeen seen before in the context in which it is found. If the asset nameis unexpectedly present, the presence is identified as an anomaly 720.

The Analytic component (110) next attempts to identify an unexpectedasset value 718. For example, in one embodiment, the Analytic component(110) attempts to identify a string asset value that is unknown for theasset name associated with it. In another embodiment, the Analyticcomponent (110) compares a numerical asset to minimum or maximumthresholds associated with the corresponding asset name. In embodimentsof the present invention, the thresholds may be set automatically basedupon the mean and standard deviation for asset values within apopulation. According to the embodiment shown, if an unexpected assetvalue is detected, it is identified as an anomaly 720. The process thenends 722.

Although the process in FIG. 7 is shown as a serial process, thecomparison of a snapshot to the adaptive reference model and theidentification of anomalies may occur in parallel. Also, each of thesteps depicted may be repeated numerous times. Further, either deltasnapshots or base snapshots can be compared to the adaptive referencemodel during each cycle.

Once an analysis has been completed, the Analytic component (110) maygenerate a result, such as an anomaly report. This report may further beprovided to a user. For instance, the Analytic component (110) maygenerate a web page comprising the results of a comparison of a snapshotwith an adaptive reference model. Embodiments of the present inventionmay provide a means for performing automated security audits, file andregistry integrity checking, anomaly-based virus detection, andautomated repair.

FIG. 8 is a flow chart illustrating a process for generating an adaptivereference model in one embodiment of the present invention. In theembodiment shown, the Analytic component (110) accesses a plurality ofsnapshots from a plurality of computers via the Database component. Eachof the snapshots comprises a plurality of pairs of asset names and assetvalues. The Analytic component (110) automatically creates an adaptivereference model that is based, at least in part, on the snapshots.

The adaptive reference model may comprise any of a number of attributes,relationships, and measures of the various asset names and values. Inthe embodiment shown in FIG. 8, the Analytic component (110) first findsone or more unique asset names and then determines the number of timeseach unique asset name occurs within the plurality of snapshots 804. Forexample, a file for a basic operating system driver may occur onsubstantially all the computers within a population. The file name is aunique asset name; it will appear only once within a snapshot but willlikely occur in substantially all of the snapshots.

In the embodiment shown, the Analytic component (110) next determinesthe unique asset values associated with each asset name 806. Forexample, the file name asset for the driver described in relation tostep 804 will likely have the same value for every occurrence of thefile name asset. In contrast, the file value for a log file will likelyhave as many different values as occurrences, i.e., a log file on anyparticular computer will contain a different number of entries fromevery other computer in a population.

Since the population may be very large, in the embodiment shown in FIG.8, if the number of unique values associated with an asset name exceedsa threshold 808, the determination is halted 810. In other words, in theexample of the log file described above, whether or not the computer isin a normal state does not depend on a log file having a consistentvalue. The log file contents are expected to vary on each computer. Notehowever that the presence or absence of the log file may be stored inthe adaptive reference model as an indication of normalcy or of ananomaly.

In the embodiment shown in FIG. 8, the Analytic component (110) nextdetermines the unique string asset values associated with each assetname 812. For example, in one embodiment, there are only two types ofasset values, strings and numbers. File hashes and registry key valuesare examples of strings; a performance counter value is an example of anumber.

The Analytic component (110) next determines a statistical measureassociated with unique numerical values associated with an asset name814. For example, in one embodiment, the Analytic component (110)captures a performance measure, such as memory paging. If one computerin a population often pages memory, it may be an indication that a rogueprogram is executing in the background and requiring substantial memoryresources. However, if every or a sizeable number of computers in apopulation often page memory, it may indicate that the computers aregenerally lacking in memory resources. In one embodiment, the Analyticcomponent (110) determines a mean and a standard deviation for numericalvalues associated with a unique asset name. In the memory example, ifthe measure of memory paging for one computer falls far outside thestatistical mean for the population, an anomaly may be identified.

In one embodiment of the present invention, the adaptive reference modelmay be modified by applying a policy template. A policy template is acollection of asset/value pairs that are identified and applied to anadaptive reference model to establish a norm that reflects a specificpolicy. For example, the policy template may comprise a plurality ofpairs of asset names and asset values that is expected to be present ina normal computer. In one embodiment, applying the policy templatecomprises modifying the adaptive reference model so that the pairs ofasset names and asset values present in the policy template appear tohave been present in each of the plurality of snapshots, i.e., appear tobe the normal state of a computer in the population.

FIG. 15 is a screen shot illustrating a user interface for selecting a“golden system” for use in a policy template in one embodiment of thepresent invention. As described above, the user first selects the goldensystem on which the policy template is to be based. FIG. 16 is a screenshot of a user interface for selecting policy template assets in oneembodiment of the present invention. As with the user interface forcreating recognition filters. The user selects assets from a Data Sourcewindow 1602 and copies them to a contents window, the Template contentswindow 1604.

FIG. 9 is a flow chart, illustrating a process for proactive anomalydetection in one embodiment of the present invention. In the embodimentshown, when analysis occurs, the Analytic component (110) establishes aconnection to the database (112) that stores snapshots to be analyzed902. In the embodiment shown, only one database is utilized. However, inother embodiments, data from multiple databases may be analyzed.

Before diagnostic checks are executed, one or more reference models arecreated 904. Reference models are updated periodically, e.g., once perweek, to ensure that the information that they contain remains current.One embodiment of the present invention provides a task scheduler thatallows model creation to be configured as a completely automatedprocedure.

Once a reference model has been created it can be processed in variousways to enable different types of analysis. For example, it is possibleto define a policy template 906 as described above. For example, apolicy template may require that all machines in a managed populationhave anti-virus software installed and operational. Once a policytemplate has been applied to a model, diagnostic checks against thatmodel will include a test for policy compliance. Policy templates can beused in a variety of applications including automated security audits,performance threshold checking, and Windows update management. A policytemplate comprises the set of assets and values that will be forced intothe model as the norm. In one embodiment, the template editing processis based on a “golden system” approach. A golden system is one thatexhibits the assets and values that a user wishes to incorporate intothe template. The user locates the snapshot that corresponds to thegolden system and then selects each asset/value pair that the userwishes to include in the template.

In the process shown in FIG. 9, the policy template is then applied to amodel to modify its definition of normal 908. This allows the model tobe shaped in ways that allow it to check for compliance againstuser-defined policies as described herein.

A model may also be converted 910. The conversion process alters areference model. For example, in one embodiment, the conversion processremoves from the model any information assets that are unique, i.e. anyassets that occur in one and only one snapshot. When a check is executedagainst a converted model all unique information assets will be reportedas anomalies. This type of check is useful in surfacing previouslyunknown trouble conditions that exist at the time the Agent componentsare first installed. Converted models are useful in establishing aninitial baseline since they expose unique characteristics. For thisreason converted models are sometimes called baseline models inembodiments of the present invention.

In another embodiment, the model building process removes from the modelany information assets that match a recognition filter, ensuring thatknown trouble conditions do not get incorporated into the model. Whenthe system is first installed the managed population quite oftencontains a number of known trouble conditions that have not yet beennoticed. It is important to discover these conditions and remove themfrom the model since otherwise, they will be incorporated into theadaptive reference model as part of the normal state for a machine.

The Agent component (202) takes a snapshot of the state of each managedmachine on a scheduled basis 924. The snapshot is transmitted andentered into the database as a snapshot. Snapshots may also be generatedon demand or in response to a specific event such as applicationinstallation.

In the proactive problem management process shown, a periodic check ofthe latest snapshots against an up-to-date reference model is performed912. The output of a periodic check is a set of anomalies, which aredisplayed to a user as results 914. The results also include anyconditions that are identified as a result of matching the anomalies torecognition filters. Recognition filters may be defined as describedabove 916. The anomalies are passed through the recognition filters forinterpretation resulting in a set of conditions. Conditions can range inseverity from something as benign as a Windows update to something asserious as a Trojan.

The trouble conditions that can occur in a computer change as thehardware and software components that make up that computer evolve.Consequently, there is a continuous need to define and share newrecognition filters as new combinations of anomalies are discovered.Recognition filters can be thought of as a very detailed and structuredway to document trouble conditions and as such they represent animportant mechanism to facilitate collaboration. The embodiment showncomprises a mechanism for exporting recognition filters to an XML fileand importing recognition filters from an XML file.

Once conditions are identified, reports documenting the results of aproactive check are generated 920. The reports may comprise, forexample, a summary description of all conditions detected or a detaileddescription of a particular condition.

FIG. 10 is a flow chart, illustrating a reactive process in oneembodiment of the present invention. In the process shown in FIG. 10, itis assumed that an adaptive reference model has already been created.The process shown begins when a user calls a help desk to report aproblem 1002. In the traditional help desk paradigm the next step wouldbe to verbally collect information about the symptoms being experiencedby the user. In contrast, in the embodiment of the present inventionshown, the next step is to run a diagnostic check of the suspect machineagainst the most recent snapshot 1003. If this does not produce animmediate diagnosis of a problem condition, three possibilities mayexist: (1) the condition has occurred since the last snapshot was taken;(2) the condition is new and is not being recognized by its filters; or(3) the condition is outside the scope of analysis, e.g. a hardwareproblem.

If it is suspected that the trouble condition has occurred since thelast snapshot was taken then the user may cause the Agent component(202) on the client machine to take another snapshot 1006. Once theresulting snapshot is available, a new diagnostic check can be executed1004.

If it is suspected that the trouble condition is new, the analyst mayexecute a compare function that provides a breakdown of the changes inthe state of a machine over a specific window of time such as newapplications that may have been installed 1008. The user may also view adetailed representation of the state of a machine at various points intime 1010. If the analyst identifies a new trouble condition, the usercan identify the set of assets as a recognition filter for subsequentanalyses 1012.

While conventional products have focused on enhancing the efficiency ofthe human-based support model, embodiments of the present invention aredesigned around a different paradigm, a machine-based support model.This fundamental difference in approach manifests itself most profoundlyin the areas of data collection and analysis. Since a machine ratherthan a human will perform much of the analysis of the data collected,the data collected can be voluminous. For example, in one embodiment,the data collected from a single machine, referred to as the “healthcheck” or snapshot for the machine, includes values for hundreds ofthousands of attributes. The ability to collect a large volume of dataprovides embodiments of the present invention with a significantadvantage over conventional systems in terms of the number and varietyof conditions that can be detected.

Another embodiment of the present invention provides a powerful analyticcapability. The foundation for high value analysis in such an embodimentis the ability to accurately distinguish between normal and abnormalconditions. For example, one system according to the present inventionsynthesizes its reference model automatically by mining statisticallysignificant relationships from the snapshot data that it collects fromits clients. The resulting “adaptive” reference model defines what isnormal for that particular managed population at that particular momentin time.

One embodiment of the present invention combines the data collection andadaptive analysis features described above. In such an embodiment, thesuperior data collection capabilities combined with the analytic powerof the adaptive reference model translate into a number of significantcompetitive advantages, including the capability of providing automaticprotection against security threats by conducting daily security auditsand checking for software updates to eliminate vulnerabilities. Such anembodiment may also be capable of proactively scanning all managedsystems on a routine basis to find problems before they result in lostproductivity or calls to the help desk.

An embodiment of the present invention implementing the adaptivereference model capabilities is also able to detect previously unknowntrouble conditions. Further, such an embodiment is automaticallysynthesized and maintained, requiring little or no vendor updates to beeffective. Such an embodiment is automatically customized to aparticular managed population enabling it to detect failure modes uniqueto that population.

An additional advantage of an embodiment of the present invention isthat in the event that a trouble condition cannot be resolvedautomatically, such an embodiment can provide a massive amount ofstructured technical information to facilitate the job of the supportanalyst.

One embodiment of the present invention provides the capability ofautomatically repairing an identified problem. Such an embodiment, whencombined with the adaptive reference model of the previously describedembodiment, is uniquely capable of automated repair because of itsability to identify all aspects of a trouble condition.

Embodiments of the present invention also provide many advantages overconventional systems and methods in terms of the service levelsdescribed herein. For example, in terms of the Mass-Healing servicelevel, it is considerably less expensive to prevent an incident than itis to resolve an incident once damage has occurred. Embodiments of thepresent invention substantially increase the percentage of incidentsthat can be detected/prevented without the need for human interventionand in a manner that embraces the diverse and dynamic nature ofcomputers in real world environments.

Further, an embodiment of the present invention is able to address theSelf-Healing service level by automatically detecting and repairing bothknown and unknown anomalies. An embodiment implementing the adaptivereference model described herein is uniquely suited to automaticdetection and repair. The automatic service and repair also helps toeliminate or at least minimize the need for Self-Service and Desk-sideVisits.

Embodiments of the present invention provide advantages at the AssistedService level by providing superior diagnostic capabilities andextensive information resources. An embodiment collects and analyzesmassive amounts of end-user data, facilitating a variety of needsassociated with the human-based support model including: securityaudits, configuration audits, inventory management, performanceanalysis, trouble diagnosis.

The foregoing description of embodiments of the invention has beenpresented only for the purpose of illustration and description and isnot intended to be exhaustive or to limit the invention to the preciseforms disclosed. Numerous modifications and adaptations thereof will beapparent to those skilled in the art without departing from the spiritand scope of the present invention.

What is claimed is:
 1. A method of detecting abnormal system states incomputers, comprising: receiving snapshots from a plurality of softwareagents respectively residing on a plurality of computers within apopulation of computers, the snapshots including data indicating thestate of respective ones of the plurality of computers; automaticallygenerating an adaptive reference model comprising a rule set customizedto characteristics of the population of computers, the rule set beingdeveloped by identifying patterns among the snapshots from the pluralityof computers, the adaptive reference model being updated upon receipt ofrespective snapshots from the plurality of computers, and being modifiedto account for known trouble conditions within the population ofcomputers; and comparing a snapshot from at least one of the computersto the adaptive reference model to determine whether an anomaly ispresent in the state of the at least one of the computers.
 2. The methodof claim 1, further comprising: comparing the anomaly to a recognitionfilter to diagnose a trouble condition on the at least one of thecomputers; and in the event of a trouble condition, generating anautomated response to the trouble condition.
 3. The method of claim 2,wherein the automated response is a generic response not specific to aparticular asset of the at least one computer, and wherein the methodfurther comprises: sending the generic response and a set of anomaliesfound in the snapshot to the at least one computer, the set of anomaliesindicating assets of the at least one computer whose states areanomalous; and applying the generic response to the anomalous assets tocorrect the trouble condition.
 4. The method of claim 3, wherein thegeneric response includes at least one of: installing a missing softwarecomponent, removing an undesirable software component, and restoring anincorrect registry setting.
 5. The method of claim 2, wherein therecognition filter comprises a particular pattern of anomalies thatindicates the presence of a particular root cause condition or a genericclass of conditions.
 6. The method of claim 1, further comprising:comparing a plurality of anomalies associated with a particular snapshotwith a recognition filter to diagnose a trouble condition; anddiagnosing a trouble condition on the at least one of the computers inresponse to at least a subset of the plurality of anomalies matchinginformation in the recognition filter.
 7. The method of claim 1, whereinindividual snapshots include data associated with at least one of:system files, application files, a registry entry, a performancecounter, a process, a communication port, a hardware configuration, alog file, a running task, services, and network connections.
 8. Anon-transitory computer readable medium storing instructions, that whenexecuted by a computer, cause the computer to perform functions of:receiving snapshots from a plurality of software agents respectivelyresiding on a plurality of computers within a population of computers,the snapshots including data indicating the state of respective ones ofthe plurality of computers; automatically generating an adaptivereference model comprising a rule set customized to characteristics ofthe population of computers, the rule set being developed by identifyingpatterns among the snapshots from the plurality of computers, theadaptive reference model being updated upon receipt of respectivesnapshots from the plurality of computers, and being modified to accountfor known trouble conditions within the population of computers; andcomparing a snapshot from at least one of the computers to the adaptivereference model to determine whether an anomaly is present in the stateof the at least one of the computers.
 9. The computer readable medium ofclaim 8, further comprising instructions, that when executed, cause thecomputer to compare the anomaly to a recognition filter to diagnose atrouble condition on the at least one of the computers, and, in theevent of a trouble condition, to generate an automated response to thetrouble condition.
 10. The computer readable medium of claim 9, whereinthe automated response is a generic response not specific to aparticular asset of the at least one computer, and wherein the computerreadable medium further comprises instructions, that when executed,cause the computer to: send the generic response and a set of anomaliesfound in the snapshot to the at least one computer, the set of anomaliesindicating assets of the at least one computer whose states areanomalous; and apply the generic response to the anomalous assets tocorrect the trouble condition.
 11. The computer readable medium of claim10, wherein the generic responses include at least one of: installing amissing software component, removing an undesirable software component,and restoring an incorrect registry setting.
 12. The computer readablemedium of claim 9, wherein the recognition filter comprises a particularpattern of anomalies that indicates the presence of a particular rootcause condition or a generic class of conditions.
 13. The computerreadable medium of claim 8, wherein the instructions for comparing thesnapshot to the adaptive reference model include instructions fordetermining whether an asset value contained in a snapshot is anomalous.14. The computer readable medium of claim 8, wherein the instructionsfor comparing the snapshot to the adaptive reference model includeinstructions for tracking relationships between assets and identifyingan anomaly in response to an asset being unexpectedly absent from orpresent in a set of assets in a snapshot.
 15. A system for detectingabnormal system states in computers, comprising: a collector componentconfigured to receive a plurality of snapshots from a plurality ofsoftware agents respectively residing on a plurality of computers withina population of computers, the snapshots including data indicating thestate of respective ones of the plurality of computers; and an analyticcomponent operable to automatically generate an adaptive reference modelcomprising a rule set customized to characteristics of the population ofcomputers, the rule set being developed by identifying patterns amongthe snapshots from the plurality of computers, the adaptive referencemodel being updated upon receipt of respective snapshots from theplurality of computers, and being modified to account for known troubleconditions within the population of computers, wherein the analyticcomponent compares a snapshot from at least one of the computers to theadaptive reference model to determine whether an anomaly is present inthe state of the least one of the computers.
 16. The system of claim 15,wherein the analytic component compares the anomaly to a recognitionfilter to diagnose a trouble condition on the at least one of thecomputers.
 17. The system of claim 16, wherein the analytic componentcompares the trouble condition to a response agent library and generatesan automated response to the trouble condition.
 18. The system of claim17, wherein: the automated response is a generic response not specificto a particular asset of the at least one computer; and the analyticcomponent sends the generic response and a set of anomalies found in thesnapshot to a software agent residing on the at least one computer, theset of anomalies indicating assets of the at least one computer whosestates are anomalous.
 19. The method of claim 16, wherein the genericresponses include at least one of: installing a missing softwarecomponent, removing an undesirable software component, and restoring anincorrect registry setting.
 20. The system of claim 16, wherein therecognition filter comprises a particular pattern of anomalies thatindicates the presence of a particular root cause condition or a genericclass of conditions.